On Thursday, December 8, 2016 at 10:21:53 PM UTC+2, Gervase Markham wrote:

> On 05/12/16 21:10, Wen-Cheng Wang wrote:
> > I mean the BR Audit is specifically for CAs that provide SSL
> > certificates. Therefore, it is not possible to conduct it on those
> > subordinate CAs that do not provide SSL certificates.
>
> AIUI, that's not actually true. As we found out recently when discussing
> another CA whose name escapes me, it's possible to include a subordinate
> CA in an audit even if it's not issuing any certificates.

To my understanding, if a CA has not yet issued any certificates, it is at most possible to perform a "readiness assessment" on that CA, because there are still no records or evidence to prove its conformity.

> > As for how to make sure the policies and practices of all our CAs fall
> > under Mozilla's root policy, every time we receive Kathleen's
> > notification about the revision of Mozilla's root policy, we review
> > our CP of the Government PKI and the CPSs of all CAs seriously. If
> > necessary, we will make amendments to our CP and CPSs so that they
> > can be aligned with Mozilla's root policy, and we will reply to Kathleen
> > with what we plan to do in response to the change of Mozilla's root policy.
> > Since we have conducted WebTrust for CA audits on the whole
> > Government PKI (including the root CA and all its subordinate CAs),
> > the audit results can assure that our CAs are all compliant with Mozilla's
> > root policy.
>
> Our root policy also requires (or will soon require) a BR audit to cover
> all sub-CAs technically capable of issuing server certs.

Currently, in our Government PKI, GCA is the only sub-CA approved, in its CPS, by the government Policy Management Authority (PMA) to issue SSL certificates. For other subordinate CAs, if they want to issue SSL certificates, they must amend their CPSs and get approval from the government PMA. Subordinate CAs that currently do not intend to issue SSL certificates have no SSL certificate practices or procedures to disclose in their CPSs. In such situations, we think it will not be very meaningful to conduct the BR audit on them. After all, the main scope of the BR audit is to examine the conformity of SSL certificate practices or procedures. Please see also the WebTrust for Certification Authorities - Audit Applicability Matrix (http://www.webtrust.org/principles-and-criteria/item83665.pdf), which says that the BR Audit (WebTrust for CA - SSL Baseline + Network) is not required for Government CAs or Commercial CAs which only issue certificates for all other uses.

Wen-Cheng Wang

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

